FRAMEWORKS & METHODOLOGIES


NYMITY PRIVACY MANAGEMENT ACCOUNTABILITY FRAMEWORK™ WHITE PAPER

Copyright 2014 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc., 366 Bay Street, Suite 1200, Toronto, Ontario, Canada M5H 4B2.

Nymity Privacy Management Accountability Framework

The Nymity Privacy Management Accountability Framework ("Framework") is a comprehensive listing of over 150 privacy management activities identified through Nymity's global data privacy accountability research. The privacy management activities are structured in 13 privacy management processes, and are jurisdiction and industry neutral. Originally designed for demonstrating accountability, the Framework is now also used by organizations for other privacy management purposes.

Demonstrating Accountability

Demonstrate that an effective privacy program is in place, or in other words, demonstrate accountability, for:

- BCR Implementation and Monitoring: Save time and resources with this Framework when implementing and monitoring Binding Corporate Rules (BCR) in your organization. Nymity provides additional free resources for organizations wishing to use the Framework for this purpose.
- Evidencing Safe Harbor: Support the Safe Harbor Self-Certification process by using documentation as evidence of meeting Safe Harbor obligations. Nymity provides additional free resources for organizations wishing to use the Framework for this purpose.
- Audit/Privacy Seal Preparation: Prepare for an internal or external assessment, such as a privacy seal. This Framework is effective for assembling the necessary documentation and facilitating more effective collaboration between the auditor and the audited.

Other Privacy Management Uses

Organizations have found the Framework to be helpful when:

- Structuring the Privacy Program: Structure your privacy program based on the 13 Privacy Management Processes. This process-based approach helps ensure privacy management is implemented not as a project, but as an ongoing process.
- Baselining and Program Planning: Quickly baseline privacy management across your organization by simply removing the Not Applicable privacy management activities and identifying which of the remaining activities have been implemented, are planned, or are desired.
- Benchmarking: Use the baselining information to compare your program with others using the same structure of Not Applicable, Desired, Planned or Implemented. For the detailed process, obtain the free baselining and benchmarking paper, Nymity Privacy Accountability Baselining and Benchmarking Methodology, at
- DPA Self-Reporting/Self-Attestation: Stand ready to demonstrate accountability, on demand, with evidence, to a Data Protection Authority (DPA). Some organizations currently use this Framework to be prepared to show due diligence in the event of an investigation. Nymity is currently researching the possible role of DPA Self-Attestations.
- Management Reporting: Report privacy management in a meaningful and simple way to senior management, C-Suite and Board level.
- Understanding Best Practices: Use the Framework as a comprehensive, up-to-date listing of privacy management activities. Gain insight into how other organizations are implementing activities to enhance privacy management and to demonstrate accountability.

A free demonstrating accountability toolkit, including a free spreadsheet, book, training videos, and other resources, is available at

Nymity is a research company and, as such, continuously updates the Privacy Management Activities. The Framework will continue to evolve as the privacy landscape changes and more organizations adopt it as an approach to communicating the status of their privacy programs. Should you wish to submit or request new Privacy Management Activities, please share them with Nymity at research@nymity.com.

This section lists the Privacy Management Activities as of February. An up-to-date version is available in Appendix A in The Privacy Office Guide to Demonstrating Accountability, as well as other resources at

13 Privacy Management Processes

The privacy management activities in the Framework are categorized into 13 Privacy Management Processes, which are:

1. Maintain Governance Structure

Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures.

- Conduct a Privacy Risk Assessment
- Maintain a Privacy Strategy
- Maintain a privacy program charter/mission statement
- Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)
- Assign accountability for data privacy at a senior level
- Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel)
- Assign responsibility for data privacy
- Appoint a representative in member states where the organization does not maintain a physical presence
- Conduct regular communication between individuals accountable and responsible for data privacy
- Consult with stakeholders throughout the organization on data privacy matters
- Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board)
- Integrate data privacy into business risk assessment/reporting
- Maintain a Code of Conduct
- Maintain ethics guidelines
- Maintain a strategy to align Activities with legal requirements (e.g., address conflicts, differences in standards, creating rationalized rule sets)
- Require employees to acknowledge and agree to adhere to the data privacy policies
- Report periodically on the status of the privacy program to external stakeholders, as appropriate (e.g. annual reports, third parties, clients)

Notes: Activities relating to maintaining a data privacy policy are discussed in PMP 3 Maintain a Data Privacy Policy.

2. Maintain Personal Data Inventory

Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data.

- Maintain an inventory of key personal data holdings (what personal data is held and where)
- Classify personal data holdings by type (e.g. sensitive, confidential, public)
- Obtain approval for data processing (where prior approval is required)
- Register databases with data protection authority (where registration is required)
- Maintain flow charts for key data flows (e.g. between systems, between processes, between countries)
- Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities)
- Use Binding Corporate Rules as a data transfer mechanism
- Use Standard Contractual Clauses as a data transfer mechanism
- Use Cross-Border Privacy Rules as a data transfer mechanism
- Use the Safe Harbor framework as a data transfer mechanism
- Use Data Protection Authority approval as a data transfer mechanism
- Use adequacy or one of the derogations from adequacy (e.g. consent, performance of a contract, public interest) as a data transfer mechanism

Notes:
- All Activities related to notification of processing and registration of databases should be included in this management process.
- All Activities related to cross-border transfer should be included in this management process.
- Activities relating to maintaining a listing of third parties and affiliates are discussed in PMP 7 Manage Third Party Risk.
- PMP 10 Monitor for New Operational Practices includes the requirement to update the personal data inventory.

3. Maintain Data Privacy Policy

Maintain a data privacy policy that meets legal requirements and addresses operational risk.

- Maintain a data privacy policy
- Maintain a separate employee data privacy policy
- Document legal basis for processing personal data
- Document guiding principles for consent
- Obtain board approval for data privacy policy

Notes:
- The privacy policy is not synonymous with the privacy notice: the policy communicates the organization's guiding principles internally, while the notice communicates the organization's data handling practices externally (see PMP 8 Maintain Notices).
- Operational policies and guidelines are discussed in PMP 4 Embed Data Privacy into Operations.
- Training and Awareness policies are included in PMP 5 Maintain Training and Awareness Program.
- Security policies are included in PMP 6 Maintain Security Controls.
- Policies relating to outsourcing (by third parties or affiliates) are included in PMP 7 Manage Third Party Risk.
- Policies for processing access requests are discussed in PMP 9 Manage Procedures for Inquiries and Complaints.
- Data Breach response policies are included in PMP 11 Maintain Data Privacy Breach Management Program.

4. Embed Data Privacy Into Operations

Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives.

- Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)
- Maintain policies/procedures for maintaining data quality
- Maintain policies/procedures for pseudonymization/anonymization of personal data
- Maintain policies/procedures for secondary uses of personal data
- Maintain policies/procedures for collecting consent preferences
- Maintain policies/procedures for secure destruction of personal data
- Integrate data privacy into use of cookies and tracking mechanisms
- Integrate data privacy into records retention practices
- Integrate data privacy into direct marketing practices
- Integrate data privacy into marketing practices
- Integrate data privacy into telemarketing practices
- Integrate data privacy into behavioural advertising practices
- Integrate data privacy into hiring practices
- Integrate data privacy into employee background check practices
- Integrate data privacy into social media practices
- Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures
- Integrate data privacy into health & safety practices
- Integrate data privacy into interactions with works councils
- Integrate data privacy into practices for monitoring employees
- Integrate data privacy into monitoring practices
- Integrate data privacy into use of CCTV/video surveillance
- Integrate data privacy into use of geo-location (tracking and/or location) devices
- Integrate data privacy into delegate access to employees' company accounts (e.g. vacation, LOA, termination)
- Integrate data privacy into e-discovery practices
- Integrate data privacy into conducting internal investigations
- Integrate data privacy into practices for disclosure to and for law enforcement purposes
- Integrate data privacy into customer/patient/citizen facing practices (e.g. retail sales, provision of healthcare, tax processing)
- Integrate data privacy into back office/administrative procedures (e.g. facilities management)
- Integrate data privacy into financial operations (e.g. credit, billing, processing transactions)
- Integrate data privacy into research practices

5. Maintain Training and Awareness Program

Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks.

- Conduct data privacy training needs analysis by position/job responsibilities
- Maintain a core training program for all employees
- Conduct training for newly appointed employees upon assignment to privacy-sensitive positions
- Maintain a second level training program reflecting job specific content
- Conduct regular refresher training to reflect new developments
- Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training
- Measure participation in data privacy training activities (e.g. numbers of participants, scoring)
- Require completion of data privacy training as part of performance reviews
- Deliver a privacy newsletter, or incorporate privacy into existing corporate communications
- Maintain ongoing awareness material (e.g. posters, intranet, and videos)
- Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information
- Hold an annual data privacy day/week
- Measure comprehension of data privacy concepts using exams
- Provide data privacy information on system logon screens
- Maintain certification for individuals responsible for data privacy, including continuing professional education
- Conduct one-off, one-time tactical training and communication dealing with specific, highly relevant issues/topics
- Provide ongoing education and training for the privacy office (e.g. conferences, webinars, guest speakers)

6. Manage Information Security Risk

Maintain an information security program based on legal requirements and ongoing risk assessments.

- Conduct a security risk assessment which considers data privacy risk
- Maintain an information security policy
- Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
- Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media
- Maintain an acceptable use of information resources policy
- Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties)
- Maintain a corporate security policy (protection of physical premises and hard assets)
- Maintain human resource security measures (e.g. pre-screening, performance appraisals)
- Maintain backup and business continuity plans
- Maintain a data-loss prevention strategy
- Maintain procedures to update security profile based on system updates and bug fixes
- Conduct regular testing of data security posture
- Maintain a security verification

Notes: Training related to security is included in PMP 5 Maintain Training and Awareness Program.

7. Manage Third-Party Risk

Maintain contracts and agreements with third parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance.

- Maintain data privacy requirements for third parties (e.g. vendors, processors, affiliates)
- Maintain procedures to execute contracts or agreements with all processors
- Maintain a vendor data privacy risk assessment process
- Conduct due diligence around the data privacy and security posture of potential vendors/processors
- Maintain a policy governing use of cloud providers
- Maintain procedures to address instances of non-compliance with contracts and agreements
- Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment
- Review long-term contracts for new or evolving data protection risks

8. Maintain Notices

Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance.

- Maintain a data privacy notice that details the organization's personal data handling policies
- Provide data privacy notice at all points where personal data is collected
- Provide notice by means of on-location signage, posters
- Provide notice in marketing communications (e.g. e-mails, flyers, offers)
- Provide notice in all forms, contracts and terms
- Maintain scripts for use by employees to provide the data privacy notice
- Maintain a data privacy notice for employees (processing of employee personal data)
- Maintain a privacy Seal or Trustmark to increase customer trust
- Provide data privacy education to individuals (e.g. preventing identity theft)

9. Maintain Procedures for Inquiries and Complaints

Maintain effective procedures for interactions with individuals about their personal data.

- Maintain procedures to address complaints
- Maintain procedures to respond to access requests
- Maintain procedures to respond to requests to update or revise personal data
- Maintain procedures to respond to requests to opt-out
- Maintain procedures to respond to requests for information
- Maintain customer Frequently Asked Questions
- Maintain escalation procedures for serious complaints or complex access requests
- Maintain procedures to investigate root causes of data protection complaints
- Maintain metrics for data protection complaints (e.g. number, root cause)

10. Monitor for New Operational Practices

Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles.

- Maintain a Privacy by Design framework for all system and product development
- Maintain PIA guidelines and templates
- Conduct PIAs for new programs, systems, processes
- Maintain a procedure to address data protection issues identified during PIAs
- Maintain a product sign-off procedure that involves the privacy office
- Maintain a product life cycle process to address privacy impacts of changes to existing programs, systems, or processes
- Maintain metrics for PIAs (e.g. number completed, turnaround time)

Notes: All Activities related to audits and assessments of existing operational practices are included in PMP 12 Monitor Data Handling Practices.

11. Maintain Data Privacy Breach Management Program

Maintain an effective data privacy incident and breach management program.

- Maintain a documented data privacy incident/breach response protocol
- Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
- Maintain a breach incident log to track nature/type of all breaches
- Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)
- Conduct periodic testing of breach protocol and document findings and changes made
- Engage a breach response remediation provider
- Engage a forensic investigation team
- Obtain data privacy breach insurance coverage
- Maintain a record preservation protocol to protect relevant log history

12. Monitor Data Handling Practices

Verify operational practices comply with the data privacy policy and operational policies and procedures.

- Conduct self-assessments managed by the privacy office
- Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches
- Conduct audits/assessments of the privacy program outside of the privacy office (e.g. Internal Audit)
- Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units)
- Conduct ad-hoc walk-throughs
- Conduct assessments through use of an accountability agent or third party verification
- Maintain privacy program metrics

Notes: Activities such as Privacy Impact Assessments used for new operations are included in PMP 10 Monitor for New Operational Practices.

13. Track External Criteria

Track new compliance requirements, expectations, and best practices.

- Conduct ongoing research on developments in law
- Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments
- Attend/participate in privacy conferences, industry association, or think-tank events
- Record/report on the tracking of new Rule Sources or amendments to Rule Sources
- Seek legal opinions regarding recent developments in laws
- Document that new requirements have been implemented (also document where a decision is made to not implement any changes, including reason)
- Maintain records or evidence that alerts are read and actions are taken (e.g. read daily and forwarded to key individuals as required)
- Review or participate in studies related to best practices in data privacy management

About Nymity

Nymity is a global research company specializing in compliance tools for the privacy office. Established in 2002, Nymity is 100% dedicated to data privacy compliance and effective privacy management. Nymity empowers organizations to comply with confidence.

Compliance Needs of the Privacy Office

At Nymity, we appreciate that the roles and responsibilities of the privacy office within any organization are dynamic and challenging. Our research indicates that organizations create a privacy office for a number of reasons including laws and regulations, enforcement actions, data breach, competitive differentiation, and corporate culture. Regardless of where the privacy office resides within an organizational structure, the industry or jurisdiction, our research confirms that the roles and responsibilities of the privacy office are universal, and include:

- Advising Stakeholders: liaising with operational units to ensure compliant practices and responsible personal data processing;
- Maintaining the Privacy Program: maintaining a governance structure, policies, procedures, notices, training and awareness, data security, vendor management, breach response protocol, and much more;
- Responding to Data Breaches: leading the team through privacy incident and breach responses;
- Responding to Inquiries and Complaints: handling interactions with customers, employees, law enforcement authorities, and regulators; and
- Professional Development: increasing the knowledge and skills of the individuals in the privacy office.

How Nymity Supports the Privacy Office

Nymity has an established history of supporting the privacy office through its innovative research tool, PrivaWorks. PrivaWorks is complemented by the following subscription-based software tools:

Research Tools
  Description: Library of analyzed compliance research. Rule maps, charts, and tables. Summary analysis of laws.
  Benefits: Quickly understand compliance obligations and best practices. Quickly report on rules of law based on specific needs. Understand obligations without reading the laws.

Management Tools
  Description: Compare your privacy program. How-to guides for privacy management. Custom jurisdictional heat maps. Demonstrate accountability and compliance. Manage BCR or Safe Harbor with Attestor.
  Benefits: Baseline, compare, plan and report privacy management. Build and enhance the privacy program. Monitor and report on the regulatory risk landscape. Manage and report on the privacy program. Cost-effectively implement and monitor.

Nymity Research

As a global research company specializing in compliance software tools for the privacy office, Nymity approaches data privacy compliance scientifically. Nymity's research team of privacy lawyers, privacy analysts, and former chief privacy officers continually creates innovative methodologies and frameworks, which serve as the foundation for Nymity's compliance tools. Nymity's research team encapsulates its structured, systematic analysis into Nymity's compliance tools through continuous research and delivery of relevant content. As a complementary service, some of Nymity's research is made available for free to the global privacy community.

Nymity Frameworks and Methodologies

Nymity's frameworks and methodologies are available for free to support privacy management in organizations of any size, sector/industry, or in any jurisdiction. The primary audience for these documents is the organization's privacy office and thus, some knowledge of privacy management and compliance is beneficial.

Free Privacy Papers, Books, and Toolkits

- Book (Free Download): Demonstrating accountability is more than reporting, even more than reporting with evidence. It is the ability to show that a privacy program is managed and monitored. The ultimate goal of the privacy office in many organizations is to be able to answer the question, "how do we know that the privacy program is effectively embedded throughout the organization?", in other words, to be accountable and to be able to demonstrate it. This book is a guide for the privacy office to demonstrate accountability using the free framework, the Nymity Data Privacy Accountability Scorecard, available in the free Demonstrating Accountability Toolkit.
- Privacy Management Accountability Framework White Paper (Free Download): This privacy framework is a comprehensive, jurisdiction- and industry-neutral listing of 150+ Privacy Management Activities within 13 Privacy Management Processes. The framework is structurally aligned with how privacy programs are maintained, and can be tailored to fit the unique circumstances of any organization. The Privacy Management Accountability Framework was originally developed for communicating the status of the privacy program, or in other words, for demonstrating accountability. The Framework is also being used by organizations for: baselining and planning the privacy program; structuring the privacy program; benchmarking; BCR implementation and monitoring; Safe Harbor self-attestations; audit preparation; and regulatory self-regulation/self-attestations.
- Privacy Accountability Baselining and Benchmarking Methodology White Paper (Free Download): This paper provides an in-depth understanding of a methodology for baselining privacy management/accountability in any organization regardless of size, sector/industry, jurisdiction, or maturity of the privacy program. It also enables organizations to compare privacy management with others using this methodology. This paper includes all necessary tools to baseline and benchmark privacy management for free as well as provides an understanding of the underlying methodology for the software tool, Nymity Benchmarks.
- Privacy Reference Analysis Methodology White Paper (Free Download): This white paper provides an in-depth understanding of the Nymity research methodology for analyzing privacy compliance documents such as regulatory authority documents, case law, and best-practices documents. The paper provides readers a proven process to analyze compliance documents and gain insight into the underpinnings of Nymity References and PrivaWorks.
- Privacy Rules Categorization Methodology White Paper (Free Download): This white paper provides an in-depth understanding of the Nymity research methodology for analyzing privacy laws, regulations, codes, and standards. The paper provides readers a proven process to analyze privacy laws plus gain insight into the underpinnings of Nymity LawReports and PrivaWorks.
- Privacy Compliance Attestation Methodology White Paper (Free Download): This white paper provides an in-depth understanding of a pragmatic methodology for attesting compliance to privacy laws, regulations, codes, and standards, providing readers with a proven approach to demonstrate compliance with evidence. The paper also provides insight into the underpinnings of Nymity's software tool, Attestor.
- Privacy Regulatory Risk Methodology White Paper (Free Download): This white paper provides an in-depth review of the Nymity methodology for measuring regulatory privacy risk, which is the risk to an organization when processing personal data due to privacy law. This methodology provides insight into the underpinnings of Nymity RiskMaps.

Deeply Rooted in Data Privacy Compliance

Through partnership with leading organizations including IAPP, CIPL, FPF, Ponemon Institute, the Information Accountability Foundation, USCIB, ICC, and LexisNexis, Nymity has an established foundation in data privacy. Through deep involvement in the privacy community, Nymity ensures that it remains at the forefront of research.

Award-Winning, Innovative Approach to Data Privacy Compliance

Nymity has an established history of innovating compliance; our customers over the past twelve years can attest to this. Renowned for its unique approach to compliance, Nymity delivers relevant, analyzed research via innovative technology. In 2011, Nymity was recognized as a Gartner Cool Vendor in Risk Management, Privacy & Compliance. In 2012, Nymity was selected as a Global Hot 100 Company by the World Summit on Innovation and Entrepreneurship for its innovative research methodology. Innovating compliance is at the very core of Nymity. For more information, visit


More information

Accountable Privacy Management in BC s Public Sector

Accountable Privacy Management in BC s Public Sector Accountable Privacy Management in BC s Public Sector Contents Accountable Privacy Management In BC s Public Sector 2 INTRODUCTION 3 What is accountability? 4 Steps to setting up the program 4 A. PRIVACY

More information

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture 2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting

More information

CISM (Certified Information Security Manager) Document version: 6.28.11

CISM (Certified Information Security Manager) Document version: 6.28.11 CISM (Certified Information Security Manager) Document version: 6.28.11 Important Note About CISM PDF techexams CISM PDF is a comprehensive compilation of questions and answers that have been developed

More information

The Importance of Privacy & Data Security in a Changing World

The Importance of Privacy & Data Security in a Changing World Cyber, PrivaCy & Data SeCurity 360 www.mpplaw.com about our PraCtiCe Data is the lifeblood of our global economy. Collected, stored and transmitted, digital data not only imparts great opportunities, but

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016 Understanding SOC Reports for Effective Vendor Management Jason T. Clinton January 26, 2016 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2012 Wolf & Company, P.C. Before we

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:

More information

I. Introduction to Privacy: Common Principles and Approaches

I. Introduction to Privacy: Common Principles and Approaches I. Introduction to Privacy: Common Principles and Approaches A. A Modern History of Privacy a. Descriptions and definitions b. Historical and social origins c. Information types i. Personal and non-personal

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Elements Of An Effective Export Compliance Program

Elements Of An Effective Export Compliance Program Elements Of An Effective Export Compliance Program Renee Osborne Export Management & Compliance Division Office of Exporter Services Bureau of Industry and Security U.S. Department of Commerce Effective

More information

A Best Practice Guide

A Best Practice Guide A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals

More information

Electronic Health Record Privacy Policies

Electronic Health Record Privacy Policies Electronic Health Record Privacy Policies Table of Contents 1. Access and Correction Policy v1.1 2. Assurance Policy v1.1 3. Consent Management Policy v1.2 4. Inquiries and Complaints Policy v1.1 5. Logging

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Privacy Policy. February, 2015 Page: 1

Privacy Policy. February, 2015 Page: 1 February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS COMPLIANCE MANAGEMENT SOLUTIONS

COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS Our solutions dynamically connect business transactions, strategy, and operations to the ever-changing regulatory environment,

More information

Johnson Controls Privacy Notice

Johnson Controls Privacy Notice Johnson Controls Privacy Notice Johnson Controls, Inc. and its affiliated companies (collectively Johnson Controls, we, us or our) care about your privacy and are committed to protecting your personal

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

Security Control Standard

Security Control Standard Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Compliance Management Systems

Compliance Management Systems Certification Scheme Y03 Compliance Management Systems ISO 19600 ONR 192050 Issue V2.1:2015-01-08 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 A-1020 Vienna, Austria E-Mail: p.jonas@austrian-standards.at

More information

Privacy Risk Assessments

Privacy Risk Assessments Privacy Risk Assessments Michael Hulet Principal November 8, 2012 Agenda Privacy Review Definition Trends Privacy Program Considerations Privacy Risk Assessment Risk Assessment Tools Generally Accepted

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

Privacy and Security Framework, February 2010

Privacy and Security Framework, February 2010 Privacy and Security Framework, February 2010 Updated April 2014 Our Vision Better data. Better decisions. Healthier Canadians. Our Mandate To lead the development and maintenance of comprehensive and

More information

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister 2011 Morrison & Foerster LLP All Rights Reserved mofo.com Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister Presenter Miriam Wugmeister Morrison & Foerster LLP New York

More information

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005 Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

Privacy Management Program Toolkit Health Custodians Personal Health Information Act

Privacy Management Program Toolkit Health Custodians Personal Health Information Act Office of the Information and Privacy Commissioner for Nova Scotia Privacy Management Program Toolkit Health Custodians Personal Health Information Act Introduction: This toolkit was prepared by the Information

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY INTRODUCTION Information security has evolved. As the landscape of threats increases and cyber security 1 management becomes

More information

Elements Of An Effective Export Compliance Program

Elements Of An Effective Export Compliance Program Elements Of An Effective Export Compliance Program Tom Andrukonis, Director Export Management & Compliance Division Office of Exporter Services Bureau of Industry and Security U.S. Department of Commerce

More information

Security in the Cloud: Visibility & Control of your Cloud Service Providers

Security in the Cloud: Visibility & Control of your Cloud Service Providers Whitepaper: Security in the Cloud Security in the Cloud: Visibility & Control of your Cloud Service Providers Date: 11 Apr 2012 Doc Ref: SOS-WP-CSP-0412A Author: Pierre Tagle Ph.D., Prashant Haldankar,

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

(a) the kind of data and the harm that could result if any of those things should occur;

(a) the kind of data and the harm that could result if any of those things should occur; Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data

More information

Manage Compliance with External Requirements

Manage Compliance with External Requirements Manage Compliance with External Requirements Description IT is subject to requirements that are highly complex and constantly changing. The school jurisdiction s senior leadership is ultimately accountable

More information

Critical Privacy Questions to Ask an HCM/CRM SaaS Provider

Critical Privacy Questions to Ask an HCM/CRM SaaS Provider Research Publication Date: 31 July 2009 ID Number: G00168488 Critical Privacy Questions to Ask an HCM/CRM SaaS Provider Carsten Casper, Thomas Otter, Arabella Hallawell The vast majority (probably greater

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Privacy in the Cloud Computing Era. A Microsoft Perspective

Privacy in the Cloud Computing Era. A Microsoft Perspective Privacy in the Cloud Computing Era A Microsoft Perspective November 2009 The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date

More information

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Over the course of this one hour presentation, panelists will cover the following subject areas, providing answers

More information

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper Protecting Business Information With A SharePoint Data Governance Model TITUS White Paper Information in this document is subject to change without notice. Complying with all applicable copyright laws

More information

Cyber Insurance: How to Investigate the Right Coverage for Your Company

Cyber Insurance: How to Investigate the Right Coverage for Your Company 6-11-2015 Cyber Insurance: How to Investigate the Right Coverage for Your Company Presented by: Faith M. Heikkila, Ph.D., CISM, CIPM, CIPP-US, ABCP Greenleaf Trust Chief Information Security Officer (CISO)

More information

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Table of Contents What is a privacy breach?...1

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information: Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal

More information

Chapter 3 HIPAA Cost Considerations

Chapter 3 HIPAA Cost Considerations AU1953_C03.fm Page 23 Saturday, October 11, 2003 10:22 AM Chapter 3 HIPAA Cost Considerations Background Actual costs for HIPAA compliance will vary among covered entities (CEs) because of various factors

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

Access & Correction Policy

Access & Correction Policy EHR Policies Table of Content 1. Access & Correction Policy.. 2 2. Assurance.. 14 3. Consent Management Policy.. 27 4. Inquiries and Complaints Policy.. 39 5. Logging and Auditing Policy... 51 6. Privacy

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

Privacy Breach Protocol

Privacy Breach Protocol & Privacy Breach Protocol Guidelines for Government Organizations www.ipc.on.ca Table of Contents What is a privacy breach? 1 Guidelines on what government organizations should do 2 What happens when the

More information

NAVIGATING THE MAZE. 2013 LEGAL CIO ROUNDTABLE RETREAT March 3-5, 2013 The Boulders Hotel Carefree, Arizona. 2013 CIO Roundtable Retreat

NAVIGATING THE MAZE. 2013 LEGAL CIO ROUNDTABLE RETREAT March 3-5, 2013 The Boulders Hotel Carefree, Arizona. 2013 CIO Roundtable Retreat NAVIGATING THE MAZE 2013 LEGAL CIO ROUNDTABLE RETREAT March 3-5, 2013 The Boulders Hotel Carefree, Arizona Information Governance Define your Process and Framework Agenda Information Governance Defined

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,

More information

Compliance and Security Solutions

Compliance and Security Solutions Content-aware Compliance and Security Solutions for Microsoft SharePoint SharePoint and the ECM Challenge The numbers tell the story. According to the consulting firm Doculabs, 80 percent of the information

More information

Health Care Provider Guide

Health Care Provider Guide Health Care Provider Guide Diagnostic Imaging Common Service Project, Release 1 Version: 1.4 Copyright Notice Copyright 2014, ehealth Ontario All rights reserved No part of this document may be reproduced

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

Personal Information Protection and Electronic Documents Act

Personal Information Protection and Electronic Documents Act PIPEDA Self-Assessment Tool Personal Information Protection and Electronic Documents Act table of contents Why this tool is needed... 3 How to use this tool... 4 PART 1: Compliance Assessment Guide Principle

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

Compliance Management, made easy

Compliance Management, made easy Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Whitepaper: 7 Steps to Developing a Cloud Security Plan Whitepaper: 7 Steps to Developing a Cloud Security Plan Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for

More information

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release)

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release) CHARLES LUCE S LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release) A. Cloud Computing Defined: n. A loosely defined term for any system providing access

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information